GNU Simple Authentication and Security Layer

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A
copy of the license is included in the section entitled “GNU Free
Documentation License”.

1 Introduction

This manual can be used in several ways. If read from the beginning
to the end, it gives the reader an understanding of the SASL framework
and the GNU SASL implementation, and how the GNU SASL library is used
in an application. Forward references are included where necessary.
Later on, the manual can be used as a reference manual to get just the
information needed about any particular interface of the library.
Experienced programmers might want to start looking at the examples at
the end of the manual, and then only read up those parts of the
interface which are unclear.

1.1 SASL Overview

SASL is a framework for application protocols, such as SMTP or IMAP,
to add authentication support. For example, SASL is used to prove to
the server who you are when you access an IMAP server to read your
e-mail.

The SASL framework does not specify the technology used to perform the
authentication, that is the responsibility for each SASL mechanism.
Popular SASL mechanisms include CRAM-MD5 and GSSAPI (for Kerberos V5).

Typically a SASL negotiation works as follows. First the client
requests authentication (possibly implicitly by connecting to the
server). The server responds with a list of supported mechanisms.
The client chose one of the mechanisms. The client and server then
exchange data, one round-trip at a time, until authentication either
succeeds or fails. After that, the client and server knows more about
who is on the other end of the channel.

Here the first three lines are sent by the server and contains the
list of supported mechanisms (DIGEST-MD5, CRAM-MD5, etc). The next
line is sent by the client to select the CRAM-MD5 mechanism. The
server replies with a challenge, which is a message that can be
generated by calling GNU SASL functions. The client replies with a
response, which also is a message that can be generated by GNU SASL
functions. Depending on the mechanism, there can be more than one
round trip, so do not assume all authentication exchanges consists of
one message from the server and one from the client. The server
accepts the authentication. At that point it knows it is talking to a
authenticated client, and the application protocol can continue.

Essentially, your application is responsible for implementing the
framing protocol (e.g., SMTP or XMPP) according to the particular
specifications. Your application uses GNU SASL to generate the
authentication messages.

1.2 Implementation

GNU SASL is an implementation of the Simple Authentication and
Security Layer framework and a few common SASL mechanisms.

GNU SASL consists of a library (libgsasl), a command line
utility (gsasl) to access the library from the shell, and a
manual. The library includes support for the framework (with
authentication functions and application data privacy and integrity
functions) and at least partial support for the ANONYMOUS, CRAM-MD5,
DIGEST-MD5, EXTERNAL, GS2-KRB5, GSSAPI, LOGIN, NTLM, PLAIN,
SCRAM-SHA-1, SCRAM-SHA-1-PLUS, SAML20, OPENID20, and SECURID
mechanisms.

The library is easily ported because it does not do network
communication by itself, but rather leaves it up to the calling
application. The library is flexible with regards to the
authorization infrastructure used, as it utilizes a callback into the
application to decide whether a user is authorized or not.

GNU SASL is developed for the GNU/Linux system, but runs on over 20
platforms including most major Unix platforms and Windows, and many
kind of devices including iPAQ handhelds and S/390 mainframes.

GNU SASL is written in pure ANSI C89 to be portable to embedded and
otherwise limited platforms. The entire library, with full support
for ANONYMOUS, EXTERNAL, PLAIN, LOGIN and CRAM-MD5, and the front-end
that supports client and server mode, and the IMAP and SMTP protocols,
fits in under 80kb on an Intel x86 platform, without any modifications
to the code. (This figure was accurate as of version 1.1.)

The design of the library and the intended interaction between
applications and the library through the official API is illustrated
below.

1.3 Features

GNU SASL might have a couple of advantages over other libraries doing
a similar job.

It's Free Software

Anybody can use, modify, and redistribute it under the terms of the
GNU General Public License version 3.0 or later. The library uses the
GNU Lesser General Public License version 2.1 or later.

It's thread-safe

No global variables are used and multiple library handles and session
handles may be used in parallel.

It's internationalized

It handles non-ASCII usernames and passwords and user visible strings
used in the library (error messages) can be translated into the users'
language.

It's portable

It should work on all Unix like operating systems, including Windows.
The library itself should be portable to any C89 system, not even
POSIX is required.

It's small

The library has been rewritten with embedded platforms in mind. For
example, no API consumes more than around 250 bytes of stack space.

Note that the library does not implement any policy to decide whether
a certain user is “authenticated” or “authorized” or not. Rather,
it uses a callback into the application to answer these questions.

Processing of non-ASCII usernames and passwords requires the SASLprep
implementation in LibIDN (http://www.gnu.org/software/libidn/).
This is needed for full conformance with the latest SASL protocol
drafts, but is optional in the library for improved portability.

Libgcrypt

The GNU SASL library ships with its own cryptographic implementation,
but it can use the one in libgcrypt (http://www.gnupg.org/)
instead, if it is available. This is typically useful for desktop
machines which have libgcrypt installed.

The command-line interface to GNU SASL requires a POSIX or Windows
platform for network connectivity. The command-line tool can make use
of GnuTLS (http://www.gnutls.org/) to support the STARTTLS modes
of IMAP and SMTP, but GnuTLS is not required.

Note that the library does not need a POSIX platform or network
connectivity.

1.8 Downloading and Installing

The latest version is stored in a file, e.g.,
‘gsasl-1.8.0.tar.gz’ where the ‘1.8.0’
value is the highest version number in the directory.

The package is then extracted, configured and built like many other
packages that use Autoconf. For detailed information on configuring
and building it, refer to the INSTALL file that is part of the
distribution archive.

Here is an example terminal session that downloads, configures, builds
and install the package. You will need a few basic tools, such as
‘sh’, ‘make’ and ‘cc’.

If your target system require a minimal implementation, you may wish
to disable the client or the server part of the code. This does not
remove symbols from the library, so if you attempt to call an
application that uses server functions in a library built with
--disable-server, the function will return an error code.

--disable-obsolete

Remove backwards compatibility (see Old Functions). Use if you
want to limit the size of the library.

1.8.1 Installing under Windows

There are two ways to build GNU SASL on Windows: via MinGW or via
Microsoft Visual Studio. Note that a binary release for Windows is
available from http://josefsson.org/gnutls4win/.

With MinGW, you can build a GNU SASL DLL and use it from other
applications. After installing MinGW (http://mingw.org/) follow
the generic installation instructions (see Downloading and Installing). The DLL is installed by default.

You can build GNU SASL as a native Visual Studio C++ project. This
allows you to build the code for other platforms that VS supports,
such as Windows Mobile. You need Visual Studio 2005 or later.

First download and unpack the archive as described in the generic
installation instructions (see Downloading and Installing). Don't
run ./configure. Instead, start Visual Studio and open the
project file lib/win32/libgsasl.sln inside the GNU SASL
directory. You should be able to build the project using Build
Project.

Output libraries will be written into the lib/win32/lib (or
lib/win32/lib/debug for Debug versions) folder.

Warning! Unless you build GNU SASL linked with libgcrypt, GNU SASL
uses the Windows function CryptGenRandom for generating
cryptographic random data. The function is known to have some
security weaknesses. See http://eprint.iacr.org/2007/419 for
more information. The code will attempt to use the Intel RND crypto
provider if it is installed, see lib/gl/gc-gnulib.c.

1.8.2 Kerberos on Windows

Building GNU SASL with support for Kerberos via GSS-API on Windows is
straight forward if you use GNU GSS and GNU Shishi as the Kerberos
implementation.

If you are using MIT Kerberos for Windows (KfW), getting GNU SASL to
build with Kerberos support is not straightforward because KfW does
not follow the GNU coding style and it has bugs that needs to be
worked around. We provide instructions for this environment as well,
in the hope that it will be useful for GNU SASL users.

Our instructions assumes you are building the software on a dpkg-based
GNU/Linux systems (e.g., gNewSense) using the MinGW cross-compiler
suite. These instructions were compiled for KfW version 3.2.2 which
were the latest as of 2010-09-25.

We assume that you have installed a normal build environment including
the MinGW cross-compiler. Download and unpack the KfW SDK like this:

The 'lt_cv_deplibs_check_method=pass_all' setting is required because
the KfW SDK does not ship with Libtool *.la files and is using
non-standard DLL names. The -DSSIZE_T_DEFINED is necessary
because the win-mac.h file would provide an incorrect duplicate
definitions of ssize_t otherwise. By passing
--with-gssapi-impl=kfw you activate other bug workarounds, such
as providing a GSS_C_NT_HOSTBASED_SERVICE symbol.

Build the software using:

$ make

If you have Wine installed and your kernel is able to invoke it
automatically for Windows programs, you can run the self tests. This
is recommended to make sure the build is sane.

$ make check

You may get error messages about missing DLLs, like this error:

err:module:import_dll Library gssapi32.dll (which is needed by L"Z:\\home\\jas\\src\\gsasl-1.5.2\\lib\\src\\.libs\\libgsasl-7.dll") not found

If that happens, you need to make sure that Wine can find the
appropriate DLL. The simplest solution is to copy the necessary DLLs
to ~/.wine/drive_c/windows/system32/.

You may now copy the following files onto the Windows machine (e.g.,
through a USB memory device):

lib/src/.libs/libgsasl-7.dll
src/.libs/gsasl.exe

The remaining steps are done on the Windows XP machine. Install KfW
and configure it for your realm. To make sure KfW is working
properly, acquire a user ticket and then remove it. For testing
purposes, you may use the realm 'interop.josefsson.org' with KDC
'interop.josefsson.org' and username 'user' and password 'pass'.

Change to the directory where you placed the files above, and invoke a
command like this:

gsasl.exe -d interop.josefsson.org

KfW should query you for a password, and the tool should negotiate
authentication against the server using GS2-KRB5.

1.9 Bug Reports

If you think you have found a bug in GNU SASL, please investigate it
and report it.

Please make sure that the bug is really in GNU SASL, and
preferably also check that it hasn't already been fixed in the latest
version.

You have to send us a test case that makes it possible for us to
reproduce the bug.

You also have to explain what is wrong; if you get a crash, or
if the results printed are not good and in that case, in what way.
Make sure that the bug report includes all information you would need
to fix this kind of bug for someone else.

Please make an effort to produce a self-contained report, with
something definite that can be tested or debugged. Vague queries or
piecemeal messages are difficult to act on and don't help the
development effort.

If your bug report is good, we will do our best to help you to get a
corrected version of the software; if the bug report is poor, we won't
do anything about it (apart from asking you to send better bug
reports).

If you think something in this manual is unclear, or downright
incorrect, or if the language needs to be improved, please also send a
note.

1.10 Contributing

If you want to submit a patch for inclusion – from solve a typo you
discovered, up to adding support for a new feature – you should
submit it as a bug report (see Bug Reports). There are some
things that you can do to increase the chances for it to be included
in the official package.

Unless your patch is very small (say, under 10 lines) we require that
you assign the copyright of your work to the Free Software Foundation.
This is to protect the freedom of the project. If you have not
already signed papers, we will send you the necessary information when
you submit your contribution.

For contributions that doesn't consist of actual programming code, the
only guidelines are common sense. Use it.

If you normally code using another coding standard, there is no
problem, but you should use ‘indent’ to reformat the code
(see GNU Indent) before submitting your work.

Use the unified diff format ‘diff -u’.

Return errors.
No reason whatsoever should abort the execution of the library. Even
memory allocation errors, e.g. when malloc return NULL,
should work although result in an error code.

Design with thread safety in mind.
Don't use global variables. Don't even write to per-handle global
variables unless the documented behaviour of the function you write is
to write to the per-handle global variable.

Avoid using the C math library.
It causes problems for embedded implementations, and in most
situations it is very easy to avoid using it.

Document your functions.
Use comments before each function headers, that, if properly
formatted, are extracted into Texinfo manuals and GTK-DOC web pages.

2 Preparation

To use GNU SASL, you have to perform some changes to your sources and
the build system. The necessary changes are small and explained in
the following sections. At the end of this chapter, it is described
how the library is initialized, and how the requirements of the
library are verified.

A faster way to find out how to adapt your application for use with
GNU SASL may be to look at the examples at the end of this manual
(see Examples).

2.1 Header

All interfaces (data types and functions) of the library are defined
in the header file gsasl.h. You must include this in all
programs using the library, either directly or through some other
header file, like this:

#include <gsasl.h>

The name space is gsasl_* for function names, Gsasl* for
data types and GSASL_* for other symbols. In addition the same
name prefixes with one prepended underscore are reserved for internal
use and should never be used by an application.

2.2 Initialization

The library must be initialized before it can be used. The library is
initialized by calling gsasl_init (see Global Functions).
The resources allocated by the initialization process can be released
if the application no longer has a need to call `Libgsasl' functions,
this is done by calling gsasl_done. For example:

In order to take advantage of the secure memory features in
Libgcrypt1, you
need to initialize secure memory in your application, and for some
platforms even make your application setuid root. See the Libgcrypt
documentation for more information. Here is example code to
initialize secure memory in your code:

If you do not do this, keying material will not be allocated in secure
memory (which, for most applications, is not the biggest secure
problem anyway). Note that the GNU SASL Library has not been audited
to make sure it stores passwords or keys in secure memory.

2.3 Version Check

It is often desirable to check that the version of the library used is
indeed one which fits all requirements. Even with binary
compatibility, new features may have been introduced but, due to
problem with the dynamic linker, an old version may actually be used.
So you may want to check that the version is okay right after program
startup.

This function is one of few in the library that can be used without
a successful call to gsasl_init().

Return value: Check that the version of the library is at
minimum the one given as a string in req_version and return the
actual version string of the library; return NULL if the
condition is not met. If NULL is passed to this function no
check is done and only the version string is returned.

The normal way to use the function is to put something similar to the
following early in your main:

2.4 Building the source

If you want to compile a source file including the gsasl.h
header file, you must make sure that the compiler can find it in the
directory hierarchy. This is accomplished by adding the path to the
directory in which the header file is located to the compilers include
file search path (via the -I option).

However, the path to the include file is determined at the time the
source is configured. To solve this problem, the library uses the
external package pkg-config that knows the path to the
include file and other configuration options. The options that need
to be added to the compiler invocation at compile time are output by
the --cflags option to pkg-config libgsasl. The
following example shows how it can be used at the command line:

gcc -c foo.c `pkg-config libgsasl --cflags`

Adding the output of ‘pkg-config libgsasl --cflags’ to the
compiler command line will ensure that the compiler can find the
gsasl.h header file.

A similar problem occurs when linking the program with the library.
Again, the compiler has to find the library files. For this to work,
the path to the library files has to be added to the library search
path (via the -L option). For this, the option
--libs to pkg-config libgsasl can be used. For
convenience, this option also outputs all other options that are
required to link the program with the library (for instance, the
‘-lidn’ option). The example shows how to link foo.o with
the library to a program foo.

gcc -o foo foo.o `pkg-config libgsasl --libs`

Of course you can also combine both examples to a single command by
specifying both options to pkg-config:

2.5 Autoconf tests

If you work on a project that uses Autoconf (see GNU Autoconf) to help find installed libraries, the
suggestions in the previous section are not the entire story. There
are a few methods to detect and incorporate the GNU SASL Library into
your Autoconf based package. The preferred approach, is to use
Libtool in your project, and use the normal Autoconf header file and
library tests.

2.5.1 Autoconf test via ‘pkg-config’

If your audience is a typical GNU/Linux desktop, you can often assume
they have the ‘pkg-config’ tool installed, in which you can use
its Autoconf M4 macro to find and set up your package for use with
Libgsasl. The following example illustrates this scenario.

2.5.2 Standalone Autoconf test using Libtool

If your package uses Libtool (see GNU Libtool), you
can use the normal Autoconf tests to find Libgsasl and rely on the
Libtool dependency tracking to include the proper dependency libraries
(e.g., Libidn). The following example illustrates this scenario.

3 Using the Library

Your application's use of the library can be roughly modeled into the
following steps: initialize the library, optionally specify the
callback, perform the authentication, and finally clean up. The
following image illustrates this.

The third step may look complex, but for a simple client it will
actually not involve any code. If your application needs to handle
several concurrent clients, or if it is a server that needs to serve
many clients simultaneous, things do get a bit more complicated.

For illustration, we will write a simple client. Writing a server
would be similar, the only difference is that, later on, instead of
supplying a username and password, you need to decide whether someone
should be allowed to log in or not. The code for what we have
discussed so far make up the main function in our client
(see Example 1):

Here, the call to the function client correspond to the third
step in the image above.

For a more complicated application, having several clients running
simultaneous, instead of a simple call to client, it may have
created new threads for each session, and call client within
each thread. The library is thread safe.

An actual authentication session is more complicated than what we have
seen so far. These are the steps: decide which mechanism to use,
start the session, optionally specify the callback, optionally set any
properties, perform the authentication loop, and clean up. Naturally,
your application will start to talk its own protocol (e.g., SMTP or
IMAP) after these steps have concluded.

The authentication loop is based on sending tokens (typically short
messages encoded in base 64) back and forth between the client and
server. It continues until authentication succeeds or an error
occurs. The format of the data to be transferred, the number of
iterations in the loop, and other details are specified by each
mechanism. The goal of the library is to isolate your application
from the details of all different mechanisms.

Note that the library does not send data to the server itself, but
returns it in an buffer. You must send it to the server, following an
application protocol profile. For example, the SASL application
protocol profile for SMTP is described in RFC 2554.

The following image illustrates the steps we have been talking about.

We will now show the implementation of the client function used
before.

This function is responsible for deciding which mechanism to use. In
this case, the ‘PLAIN’ mechanism is hard coded, but you will see
later how this can be made more flexible. The function creates a new
session, then it stores the username and password in the session
handle, then it calls another function client_authenticate to
handle the authentication loop, and finally it cleans up up. Let's
continue with the implementation of client_authenticate.

This last function needs to be discussed in some detail. First, you
should be aware that there are two versions of this function, that
differ in a subtle way. The version above (see Example 2) is used
for application profiles where the server sends data first. For some
mechanisms, this may waste a roundtrip, because the server needs input
from the client to proceed. Therefor, today the recommended approach
is to permit client to send data first (see Example 1). Which
version you should use depends on which application protocol you are
implementing.

Further, you should realize that it is bad programming style to use a
fixed size buffer. On GNU systems, you may use the getline
functions instead of fgets. However, in practice, there are
few mechanisms that use very large tokens. In typical configurations,
the mechanism with the largest tokens (GSSAPI) can use at least 500
bytes. A fixed buffer size of 8192 bytes may thus be sufficient for
now. But don't say I didn't warn you, when a future mechanism doesn't
work in your application, because of a fixed size buffer.

The function gsasl_step64 (and of course also gasl_step)
returns two non-error return codes. GSASL_OK is used for
success, indicating that the library considers the authentication
finished. That may include a successful server authentication,
depending on the mechanism. You must not let the client continue to
the application protocol part unless you receive GSASL_OK from
these functions. In particular, don't be fooled into believing
authentication were successful if the server replies “OK” but these
functions have failed with an error. The server may have been hacked,
and could be tricking you into sending confidential data, without
having successfully authenticated the server.

The non-error return code GSASL_NEEDS_MORE is used to signal to
your application that you should send the output token to the peer,
and wait for a new token, and do another iteration. If the server
concludes the authentication process, with no data, you should call
gsasl_step64 (or gsasl_step) specifying a zero-length
token.

If the functions (gsasl_step and gsasl_step64) return
any non-error code, the content of the output buffer is undefined.
Otherwise, it is the callers responsibility to deallocate the buffer,
by calling free. Note that in some situations, where the
buffer is empty, NULL is returned as the buffer value. You
should treat this as an empty buffer.

3.1 Choosing a mechanism

Our earlier code was hard coded to use a specific mechanism. This is
rarely a good idea. Instead, it is recommended to select the best
mechanism available from the list of mechanisms supported by the
server. Note that without TLS or similar, the list may have been
maliciously altered, by an attacker. This means that you should abort
if you cannot find any mechanism that exceeds your minimum security
level. There is a function gsasl_client_suggest_mechanism
(see Global Functions) that will try to pick the “best”
available mechanism from a list of mechanisms. Our simple interactive
example client (see Example 3) includes the following function to
decide which mechanism to use. Note that the code doesn't blindly use
what is returned from gsasl_client_suggest_mechanism, rather it
lets some logic (in this case the user, through an interactive query)
decide which mechanism is acceptable.

3.2 Using a callback

This may work for simple mechanisms, that need only a username and a
password. But some mechanism requires more information, such as an
authorization identity, a special PIN or passcode, a realm, a
hostname, a service name, or an anonymous identifier. Querying the
user for all that information, without knowing exactly which of it is
really needed will result in a poor user interface. The user should
not have to input private information, if it isn't required.

The approach is a bad idea for another reason. What if the server
aborts the authentication process? Then your application has already
queried the user for a username and password. It would be better if
you only asked the user for this information, annoying to input, when
it is known to be needed.

A better approach to this problem is to use a callback. Then the
mechanism may query your application whenever it needs some
information, like the username and password. It will only do this at
the precise step in the authentication when the information is
actually needed. Further, if the user aborts, e.g., a password
prompt, the mechanism is directly informed of this (because it invoked
the callback), and could recover somehow.

Which properties you should handle is up to you. If you don't know how
to respond to a certain property, simply return
GSASL_NO_CALLBACK. The basic properties to support are
authentication identity (GSASL_AUTHID), authorization identity
(GSASL_AUTHZID), and password (GSASL_PASSWORD).
See Properties, for the list of all properties, and what your callback
should (ideally) do for them, and which properties each mechanism
require in order to work.

4 Properties

The library uses a concept called “properties” to request and pass
data between the application and the individual authentication
mechanisms. The application can set property values using the
gsasl_property_set function. If a mechanism needs a property
value the application has not yet provided, this is handled through a
callback. The application provides a callback, using
gsasl_callback_set, which will be invoked with a property
parameter. The callback should set the property before returning, or
fail. See Callback Functions, for more information.

There are two kind of properties. The first, a “data property” is
the simplest to understand because it normally refers to short
strings. For example, the property called GSASL_AUTHID
correspond to the username string, e.g., simon.

The latter properties, called “logical properties”, are used by the
server to make a authentication decision, and is used as a way to get
the application callback invoked. For example, the property
GSASL_VALIDATE_SIMPLE is used by the server-side part of
mechanisms like PLAIN. The purpose is to ask the server
application to decide whether the user should be authenticated
successfully or not. The callback typically look at other property
fields, such as GSASL_AUTHID and GSASL_PASSWORD, and
compare those values with external information (for example data
stored in a database or on a LDAP server) and then return OK or not.

Warning: Don't expect that all mechanisms invoke one of the logical properties
in the server mode. For example, the CRAM-MD5 and SCRAM-SHA-1
mechanisms will use the data properties (i.e., username and password)
provided by the application to internally decide whether to
successfully authenticate the user. User authorization decisions
needs to be made by the application outside of the SASL mechanism
negotiation.

The logical properties are currently only used by servers, but data
properties are used by both client and servers. It makes sense to
think about the latter category as ‘server properties’ but the
reverse is not valid nor useful.

The semantics associated with a data property is different when it is
used in client context and in the server context. For example, in the
client context, the application is expected to set the property
GSASL_AUTHID to signal to the mechanism the username to use,
but in the server context, the GSASL_AUTHID property is set by
the mechanism and can be used by the application (in the callback) to
find out what username the client provided.

Below is a list of all properties and an explanation for each. First
is the list of data properties:

GSASL_AUTHID

The authentication identity.

GSASL_AUTHZID

The authorization identity.

GSASL_PASSWORD

The password of the authentication identity.

GSASL_ANONYMOUS_TOKEN

The anonymous token. This is typically the email address of the user.

GSASL_SERVICE

The registered GSSAPI service name of the application service,
e.g. “imap”. While the names are registered for GSSAPI, other
mechanisms such as DIGEST-MD5 may also use this.

GSASL_HOSTNAME

Should be the local host name of the machine.

GSASL_GSSAPI_DISPLAY_NAME

Contain the GSSAPI “display name”, set by the server GSSAPI
mechanism. Typically you retrieve this property in your callback,
when invoked for GSASL_VALIDATE_GSSAPI.

GSASL_REALM

The name of the authentication domain. This is used by several
mechanisms, including DIGEST-MD5, GSS-API, KERBEROS_V5 and NTLM.

GSASL_PASSCODE

The SecurID passcode.

GSASL_PIN

The SecurID personal identification number (PIN).

GSASL_SUGGESTED_PIN

A SecurID personal identification number (PIN) suggested by the server.

GSASL_DIGEST_MD5_HASHED_PASSWORD

For the DIGEST-MD5 mechanism, this is a hashed password. It is used
in servers to avoid storing clear-text credentials.

GSASL_QOPS

The DIGEST-MD5 server query for this property to get the set of
quality of protection (QOP) values to advertise. The property holds
strings with comma separated keywords denoting the set of qops to use,
for example qop-auth, qop-int. Valid keywords are
qop-auth, qop-int, and qop-conf.

GSASL_QOP

The DIGEST-MD5 client query for this property to get the quality of
protection (QOP) values to request. The property value is one of the
keywords for GSASL_QOPS. The client must chose one of the QOP
values offered by the server (which may be inspected through the
GSASL_QOPS property).

GSASL_SCRAM_SALTED_PASSWORD

The SCRAM-SHA-1 client requests this property from the application,
and the value should be 40 character long hex-encoded string with the
user's hashed password. Note that the value is different for the same
password for each value of the GSASL_SCRAM_ITER and
GSASL_SCRAM_ITER properties. The property can be used to avoid
storing a clear-text credential in the client. If the property is not
available, the client will ask for the GSASL_PASSWORD property
instead.

GSASL_SCRAM_ITER

GSASL_SCRAM_ITER

In the server, the application can set these properties to influence
the hash iteration count and hash salt to use when deriving the
password. The default hash iteration count is 4096 and normally you
should not need to use a lower setting. The salt should be a random
string. In the client, the SCRAM-SHA-1 mechanism set these properties
before asking for asking the application to provide a
GSASL_SCRAM_SALTED_PASSWORD value.

GSASL_CB_TLS_UNIQUE

This property holds base64 encoded tls-unique channel binding
data. As a hint, if you use GnuTLS, the API
gnutls_session_channel_binding can be used to extract channel
bindings for a session.

GSASL_SAML20_IDP_IDENTIFIER

This property holds the SAML identifier of the user. The SAML20
mechanism in client mode will send it to the other end for
identification purposes, and in server mode it will be accessible in
the GSASL_SAML20_REDIRECT_URL callback.

GSASL_SAML20_REDIRECT_URL
This property holds the SAML redirect URL that the server wants the
client to access. It will be available in the
GSASL_SAML20_AUTHENTICATE_IN_BROWSER callback for the client.

GSASL_OPENID20_REDIRECT_URL
This property holds the SAML redirect URL that the server wants the
client to access. It will be available in the
GSASL_OPENID20_AUTHENTICATE_IN_BROWSER callback for the client.

GSASL_OPENID20_OUTCOME_DATA
OpenID 2.0 authentication outcome data. This is either the OpenID
SREG values or a value list starting with "openid.error=" to
signal error.

Next follows a list of data properties used to trigger the callback,
typically used in servers to validate client credentials:

GSASL_VALIDATE_SIMPLE

Used by multiple mechanisms in server mode. The callback may retrieve
the GSASL_AUTHID, GSASL_AUTHZID and
GSASL_PASSWORD property values and use them to make an
authentication and authorization decision.

GSASL_VALIDATE_EXTERNAL

Used by EXTERNAL mechanism on the server side to validate the client.
The GSASL_AUTHID will contain the authorization identity of the
client.

GSASL_VALIDATE_ANONYMOUS

Used by ANONYMOUS mechanism on the server side to validate the client.
The GSASL_ANONYMOUS_TOKEN will contain token that identity the client.

GSASL_VALIDATE_GSSAPI

Used by the GSSAPI and GS2-KRB5 mechanisms on the server side, to
validate the client. You may retrieve the authorization identity from
GSASL_AUTHZID and the GSS-API display name from
GSASL_GSSAPI_DISPLAY_NAME.

GSASL_VALIDATE_SECURID

Used by SECURID mechanism on the server side to validate client. The
GSASL_AUTHID, GSASL_AUTHZID, GSASL_PASSCODE, and GSASL_PIN will be
set. It can return GSASL_SECURID_SERVER_NEED_ADDITIONAL_PASSCODE to
ask the client to supply another passcode, and
GSASL_SECURID_SERVER_NEED_NEW_PIN to require the client to supply a
new PIN code.

GSASL_VALIDATE_SAML20

Used by the SAML20 mechanism on the server side to request that the
application perform authentication. The callback should return
GSASL_OK if the user should be permitted access, and
GSASL_AUTHENTICATION_ERROR (or another error code) otherwise.

GSASL_VALIDATE_OPENID20

Used by the OPENID20 mechanism on the server side to request that the
application perform authentication. The callback should return
GSASL_OK if the user should be permitted access, and
GSASL_AUTHENTICATION_ERROR (or another error code) otherwise.

GSASL_SAML20_AUTHENTICATE_IN_BROWSER
Used by the SAML20 mechanism in the client side to request that the
client should launch the SAML redirect URL (the
GSASL_SAML20_REDIRECT_URL property) in a browser to continue
with authentication.

GSASL_OPENID20_AUTHENTICATE_IN_BROWSER
Used by the OPENID20 mechanism in the client side to request that the
client should launch the OpenID redirect URL (the
GSASL_OPENID20_REDIRECT_URL property) in a browser to continue
with authentication.

5 Mechanisms

Different SASL mechanisms have different requirements on the
application using it. To handle these differences the library can use
a callback function into your application in several different ways.
Some mechanisms, such as ‘PLAIN’, are simple to explain and use.
The client callback queries the user for a username and password. The
server callback hands the username and password into any local policy
deciding authentication system (such as /etc/passwd via PAM).

Mechanism such as ‘CRAM-MD5’ and ‘SCRAM-SHA-1’ uses hashed
passwords. The client callback behaviour is the same as for PLAIN.
However, the server does not receive the plain text password over the
network but rather a hash of it. Existing policy deciding systems
like PAM cannot handle this, so the server callback for these
mechanisms are more complicated.

Further, mechanisms like GSSAPI/GS2-KRB5 (Kerberos 5) assume a
specific authentication system. In theory this means that the SASL
library would not need to interact with the application, but rather
call this specific authentication system directly. However, some
callbacks are supported anyway, to modify the behaviour of how the
specific authentication system is used (i.e., to handle “super-user”
login as some other user).

Some mechanisms, like ‘EXTERNAL’ and ‘ANONYMOUS’ are
entirely dependent on callbacks.

5.1 The EXTERNAL mechanism

The EXTERNAL mechanism is used to authenticate a user to a server
based on out-of-band authentication. EXTERNAL is typically used over
TLS authenticated channels. Note that in the server, you need to make
sure that TLS actually authenticated the client successfully. It is
normally not sufficient to use TLS, since it also supports anonymous
modes.

In the client, this mechanism is always enabled, and it will send the
GSASL_AUTHZID property as the authorization name to the server,
if the property is set. If the property is not set, the empty
authorization name is sent. You need not implement a callback.

In the server, this mechanism will request the
GSASL_VALIDATE_EXTERNAL callback property to decide whether the
client is authenticated and authorized to log in. Your callback can
retrieve the GSASL_AUTHZID property to inspect the requested
authorization name from the client.

5.2 The ANONYMOUS mechanism

The ANONYMOUS mechanism is used to “authenticate” clients to
anonymous services; or rather, just indicate that the client wishes to
use the service anonymously. The client sends a token, usually her
email address, which serve the purpose of some trace information
suitable for log files. The token is not permitted to be empty.

In the client, this mechanism is always enabled, and will send the
GSASL_ANONYMOUS_TOKEN property as the trace information to the
server.

In the server, this mechanism will invoke the
GSASL_VALIDATE_ANONYMOUS callback to decide whether the client
should be permitted to log in. Your callback can retrieve the
GSASL_ANONYMOUS_TOKEN property to, for example, save it in a
log file. The token is normally not used to decide whether the client
should be permitted to log in or not.

5.3 The PLAIN mechanism

The PLAIN mechanism uses username and password to authenticate users.
Two user names are relevant. The first, the authentication identity,
indicates the credential holder, i.e., whom the provided password
belongs to. The second, the authorization identity, is typically
empty, to indicate that the user requests to log on to the server as
herself. However, if the authorization identity is not empty, the
server should decide whether the authenticated user may log on as the
authorization identity. Normally, only “super-user” accounts such
as ‘admin’ or similar should be allowed this.

In the client, this mechanism is always enabled, and require the
GSASL_AUTHID and GSASL_PASSWORD properties. If set,
GSASL_AUTHZID will also be used.

In the server, the mechanism is always enabled. Two approaches to
authenticate and authorize the client are provided.

In the first approach, the server side of the mechanism will request
the GSASL_VALIDATE_SIMPLE callback property to decide whether
the client should be accepted or not. The callback may inspect the
GSASL_AUTHID, GSASL_AUTHZID, and GSASL_PASSWORD
properties. These property values will be normalized.

If the first approach fails (because, e.g., your callback returns
‘GSASL_NO_CALLBACK’ to signal that it does not implement
GSASL_VALIDATE_SIMPLE) the mechanism will continue to query the
application for a password, via the GSASL_PASSWORD property.
Your callback may use the GSASL_AUTHID and GSASL_AUTHZID
properties to select the proper password. The password is then
normalized and compared to the client credential.

Which approach to use? If your database stores hashed passwords, you
have no option, but must use the first approach. If passwords in your
user database are stored in prepared (SASLprep) form, the
first approach will be faster. If you do not have prepared passwords
available, you can use the second approach to make sure the password
is prepared properly before comparison.

5.4 The LOGIN mechanism

The LOGIN mechanism is a non-standard mechanism, and is similar to the
PLAIN mechanism except that LOGIN lacks the support for authorization
identities. Always use PLAIN instead of LOGIN in new applications.

The callback behaviour is the same as for PLAIN, except that
GSASL_AUTHZID is neither used nor required, and that the server
does not normalize the password using SASLprep.

5.5 The CRAM-MD5 mechanism

The CRAM-MD5 is a widely used, but officially deprecated (apparently
in favor of DIGEST-MD5), challenge-response mechanism that transfers
hashed passwords instead of clear text passwords. For insecure
channels (e.g., when TLS is not used), it is safer than
PLAIN. The CRAM-MD5 mechanism does not support authorization
identities; making the relationship between CRAM-MD5 and DIGEST-MD5
similar to the relationship between LOGIN and PLAIN.

The disadvantage with hashed passwords is that the server cannot use
normal authentication infrastructures such as PAM, because the server
must have access to the correct password in order to validate an
authentication attempt.

In the client, this mechanism is always enabled, and it requires the
GSASL_AUTHID and GSASL_PASSWORD properties.

In the server, the mechanism will require the GSASL_PASSWORD
callback property, which may use the GSASL_AUTHID property to
determine which users' password should be used. The
GSASL_AUTHID will be in normalized form. The server will then
normalize the returned password, and compare the client response with
the computed correct response, and accept the user accordingly.

See Use of SASLprep in CRAM-MD5, for a clarification on the
interpretation of the CRAM-MD5 specification that this implementation
rely on.

5.6 The DIGEST-MD5 mechanism

The DIGEST-MD5 mechanism is based on repeated hashing using MD5, which
after the MD5 break may be argued to be weaker than HMAC-MD5, but
supports more features. For example, authorization identities and
data integrity and privacy protection are supported. Like CRAM-MD5,
only a hashed password is transferred. Consequently, DIGEST-MD5 needs
access to the correct password (although it may be hashed, another
improvement compared to CRAM-MD5) to verify the client response.
Alas, this makes it impossible to use, e.g., PAM on the
server side.

In the client, this mechanism is always enabled, and it requires the
GSASL_AUTHID, GSASL_PASSWORD, GSASL_SERVICE, and
GSASL_HOSTNAME properties. If set, GSASL_AUTHZID and
GSASL_REALM will also be used.

In the server, the mechanism will first request the
GSASL_DIGEST_MD5_HASHED_PASSWORD callback property to get the
user's hashed password. If the callback doesn't supply a hashed
password, the GSASL_PASSWORD callback property will be
requested. Both callbacks may use the GSASL_AUTHID,
GSASL_AUTHZID and GSASL_REALM properties to determine
which users' password should be used. The server will then compare
the client response with a computed correct response, and accept the
user accordingly.

The server uses the GSASL_QOPS callback to get the set of
quality of protection values to use. By default, it advertises
support for authentication (qop-auth) only. You can use the
callback, for example, to make the server advertise support for
authentication with integrity layers.

The client uses the GSASL_QOP callback to get the quality of
protection value to request. The client must choose one of the QOP
values offered by the server (which may be inspected through the
GSASL_QOPS property). If the client does not return a value,
qop-auth is used by default.

5.7 The SCRAM-SHA-1 mechanism

The SCRAM-SHA-1 mechanism is designed to provide (almost) the same
capabilities as CRAM-MD5 and DIGEST-MD5 but use modern cryptographic
techniques such as HMAC-SHA-1 hashing and PKCS#5 PBKDF2 key
derivation. SCRAM-SHA-1 supports authorization identities. Like
CRAM-MD5 and DIGEST-MD5, only a hashed password is transferred.
Consequently, SCRAM-SHA-1 needs access to the correct password to
verify the client response. Channel bindings are supported through
the SCRAM-SHA-1-PLUS mechanism.

In the client, the non-PLUS mechanism is always enabled, and it
requires the GSASL_AUTHID property, and either
GSASL_PASSWORD or GSASL_SCRAM_SALTED_PASSWORD. When the
GSASL_CB_TLS_UNIQUE property is available, the SCRAM-SHA-1-PLUS
mechanism is also available and it will negotiate channel bindings
when the server also supports it. If set, GSASL_AUTHZID will
be used by the client. To be able to return the proper
GSASL_SCRAM_SALTED_PASSWORD value, the client needs to check
the GSASL_SCRAM_ITER and GSASL_SCRAM_SALT values which
are available when the GSASL_SCRAM_SALTED_PASSWORD property is
queried for.

In the server, the mechanism will require the GSASL_PASSWORD
callback property, which may use the GSASL_AUTHID property to
determine which users' password should be used. The
GSASL_AUTHID will be in normalized form. The server will then
normalize the returned password, and compare the client response with
the computed correct response, and accept the user accordingly. The
server may also set the GSASL_SCRAM_ITER and
GSASL_SCRAM_SALT properties to influence the values to be used
by clients to derive a key from a password. When the
GSASL_CB_TLS_UNIQUE property is set, the SCRAM-SHA-1-PLUS
mechanism is supported and is used to negotiate channel bindings.

The GSASL_CB_TLS_UNIQUE property signal that this side of the
authentication supports channel bindings. Setting the property will
enable the SCRAM-SHA-1-PLUS mechanism. For clients, this also
instructs the SCRAM-SHA-1 mechanism to tell servers that the client
believes the server does not support channel bindings if it is used
(remember that clients should otherwise have chosen the
SCRAM-SHA-1-PLUS mechanism instead of the SCRAM-SHA-1 mechanism). For
servers, it means the SCRAM-SHA-1 mechanism will refuse to
authenticate against a client that signals that it believes the server
does not support channel bindings.

The SCRAM-SHA-1-PLUS mechanism will never complete authentication
successfully if channel bindings are not confirmed.

5.8 The NTLM mechanism

The NTLM is a non-standard mechanism. Do not use it in new
applications, and do not expect it to be secure. Currently only the
client side is supported.

In the client, this mechanism is always enabled, and it requires the
GSASL_AUTHID and GSASL_PASSWORD properties. It will set
the ‘domain’ field in the NTLM request to the value of
GSASL_REALM. Some servers reportedly need non-empty but
arbitrary values in that field.

5.9 The SECURID mechanism

The SECURID mechanism uses authentication and authorization identity
together with a passcode from a hardware token to authenticate users.

In the client, this mechanism is always enabled, and it requires the
GSASL_AUTHID and GSASL_PASSCODE properties. If set,
GSASL_AUTHZID will also be used. If the server requests it,
the GSASL_PIN property is also required, and its callback may
inspect the GSASL_SUGGESTED_PIN property to discover a
server-provided PIN to use.

In the server, this mechanism will invoke the
GSASL_VALIDATE_SECURID callback. The callback may inspect the
GSASL_AUTHID, GSASL_AUTHZID, and GSASL_PASSCODE
properties. The callback can return
GSASL_SECURID_SERVER_NEED_ADDITIONAL_PASSCODE to ask for
another additional passcode from the client. The callback can return
GSASL_SECURID_SERVER_NEED_NEW_PIN to ask for a new PIN code
from the client, in which case it may also set the
GSASL_SUGGESTED_PIN property to indicate a recommended new PIN.
If the callbacks is invoked again, after having returned
GSASL_SECURID_SERVER_NEED_NEW_PIN, it may also inspect the
GSASL_PIN property, in addition to the other properties, to
find out the client selected PIN code.

5.10 The GSSAPI mechanism

The GSSAPI mechanism allows you to authenticate using Kerberos V5.
The mechanism was originally designed to allow for any GSS-API
mechanism to be used, but problems with the protocol made it
unpractical and it is today restricted for use with Kerberos V5. See
the GS2 mechanism (see GS2-KRB5) for a general solution.

In the client, the mechanism is enabled only if the user has acquired
credentials (i.e., a ticket granting ticket), and it requires the
GSASL_AUTHID, GSASL_SERVICE, and GSASL_HOSTNAME
properties.

In the server, the mechanism requires the GSASL_SERVICE and
GSASL_HOSTNAME properties, and it will invoke the
GSASL_VALIDATE_GSSAPI callback property in order to validate
the user. The callback may inspect the GSASL_AUTHZID and
GSASL_GSSAPI_DISPLAY_NAME properties to decide whether to
authorize the user. Note that authentication is performed by the
GSS-API library.

5.11 The GS2-KRB5 mechanism

GS2 is a protocol bridge between GSS-API and SASL, and allows every
GSS-API mechanism that supports mutual authentication and channel
bindings to be used as a SASL mechanism. Currently we support the
GS2-KRB5 mechanism, for Kerberos V5 authentication, however our GS2
implementation is flexible enough to easily support other GSS-API
mechanism if any gains popularity.

In the client, the mechanism is enabled only if the user has acquired
credentials (i.e., a ticket granting ticket), and it requires the
GSASL_AUTHID, GSASL_SERVICE, and GSASL_HOSTNAME
properties.

In the server, the mechanism requires the GSASL_SERVICE and
GSASL_HOSTNAME properties, and it will invoke the
GSASL_VALIDATE_GSSAPI callback property in order to validate
the user. The callback may inspect the GSASL_AUTHZID and
GSASL_GSSAPI_DISPLAY_NAME properties to decide whether to
authorize the user. Note that authentication is performed by the
GSS-API library.

The GS2 framework supports a variant of each mechanism, called the
PLUS variant, which can also bind the authentication to a secure
channel through channel bindings. Currently this is not supported by
GNU SASL.

5.12 The SAML20 mechanism

The SAML20 mechanism makes it possible to use SAML in SASL, in a way
that offloads the authentication exchange to an external browser. The
protocol implemented is as specified in RFC 6595.

The mechanism makes use of the following properties: GSASL_AUTHZID,
GSASL_SAML20_IDP_IDENTIFIER, GSASL_SAML20_REDIRECT_URL,
GSASL_SAML20_AUTHENTICATE_IN_BROWSER and
GSASL_VALIDATE_SAML20.

In client mode, the mechanism will retrieve the GSASL_AUTHZID and
GSASL_SAML20_IDP_IDENTIFIER properties and form a request to the
server. The server will respond with a redirect URL stored in the
GSASL_SAML20_REDIRECT_URL property, which the client can retrieve
from the GSASL_SAML20_AUTHENTICATE_IN_BROWSER callback. The
intention is that the client launches a browser to the given URL, and
then proceeds with authentication. The server responds whether
authentication was successful or not.

In server mode, the mechanism will invoke the
GSASL_SAML20_REDIRECT_URL callback and the application can
inspect the GSASL_AUTHZID and GSASL_SAML20_IDP_IDENTIFIER
properties when forming the redirect URL. The URL is passed to the
client which will hopefully complete authentication in the browser. The
server callback GSASL_VALIDATE_SAML20 should check whether the
authentication attempt was successful.

Note that SAML itself is not implemented by the GNU SASL library. On
the client side, no SAML knowledge is needed, it is only required on the
server side. The client only needs to be able to start a browser
accessing the redirect URL. The server side is expected to call a SAML
library of your choice to generate the AuthRequest and to implement an
AssertionConsumerService to validate the AuthResponse. There is a
complete proof-of-concept example of a SMTP server with SAML 2.0 support
distributed with GNU SASL in the examples/saml20/ sub-directory. It
uses the Lasso SAML implementation (http://lasso.entrouvert.org/).
The example may be used as inspiration for your own server
implementation. The gsasl command line client supports SAML20 as
a client.

5.13 The OPENID20 mechanism

The OPENID20 mechanism makes it possible to use OpenID in SASL, in a way
that offloads the authentication exchange to an external browser. The
protocol implemented is as specified in RFC 6616.

The mechanism makes use of the following properties:
GSASL_AUTHID (for the OpenID User-Supplied Identifier),
GSASL_AUTHZID, GSASL_OPENID20_REDIRECT_URL,
GSASL_OPENID20_OUTCOME_DATA,
GSASL_OPENID20_AUTHENTICATE_IN_BROWSER, and
GSASL_VALIDATE_OPENID20.

In the client, the mechanism is enabled by default. The
GSASL_AUTHID property is required and should contain the
User-Supplied OpenID Identifier (for example
http://josefsson.org). If set, GSASL_AUTHZID will be
used by the client. The client will be invoked with the
GSASL_OPENID20_AUTHENTICATE_IN_BROWSER callback to perform the
OpenID authentication in a web browser. The callback can retrieve the
GSASL_OPENID20_REDIRECT_URL property to find out the URL to
redirect the user to. After authentication, the client can retrieve
the GSASL_OPENID20_OUTCOME_DATA property with the OpenID Simple
Registry (SREG) attributes sent by the server (they are not always
sent).

In the server, the mechanism is enabled by default. The server will
request the GSASL_OPENID20_REDIRECT_URL property, and your
callback may inspect the GSASL_AUTHID to find the OpenID
User-Supplied Identifier. The server callback should perform OpenID
discovery and return the URL to redirect the user to. After this, the
user would access the URL and proceed with authentication in the
browser. The server is invoked with the
GSASL_VALIDATE_OPENID20 callback to perform the actual
validation of the authentication. Usually the callback will perform
some IPC communication with an OpenID consumer running in a web
server. The callback should return GSASL_OK on successful
authentication and GSASL_AUTHENTICATION_ERROR on authentication
errors, or any other error code. If the server received some OpenID
Simple Registry (SREG) attributes from the OpenID Identity Provider,
it may use the GSASL_OPENID20_OUTCOME_DATA property to send
these to the client.

Note that OpenID itself is not implemented by the GNU SASL library. On
the client side, no OpenID knowledge is required, it is only required on
the server side. The client only needs to be able to start a browser
accessing the redirect URL. The server side is expected to use an
OpenID library of your choice to generate the redirect URL and to
implement the Service Provider to validate the response from the IdP.
There is a complete proof-of-concept example with a SMTP server with
OpenID 2.0 support distributed with GNU SASL in the examples/openid20/
sub-directory. It uses the JanRain PHP5 OpenID implementation. The
example may be used as inspiration for your own server implementation.
The gsasl command line client supports OPENID20 as a client.

5.14 The KERBEROS_V5 mechanism

The KERBEROS_V5 is an experimental mechanism, the protocol
specification is available on the GNU SASL homepage. It can operate
in three modes, non-infrastructure mode, infrastructure mode and
proxied infrastructure mode. Currently only non-infrastructure mode
is supported.

In the non-infrastructure mode, it works as a superset of most
features provided by PLAIN, CRAM-MD5, DIGEST-MD5 and GSSAPI while at
the same time building on what is believed to be proven technology
(the RFC 1510 network security system). In the non-infrastructure
mode, the client must specify (via callbacks) the name of the user,
and optionally the server name and realm. The server must be able to
retrieve passwords given the name of the user.

In the infrastructure mode (proxied or otherwise), it allows clients
and servers to authenticate via SASL in an RFC 1510 environment, using
a trusted third party, a “Key Distribution Central”. In the normal
mode, clients acquire tickets out of band and then invokes a one
roundtrip AP-REQ and AP-REP exchange. In the proxied mode, which can
be used by clients without IP addresses or without connectivity to the
KDC (e.g., when the KDC is IPv4 and the client is IPV6-only), the
client uses the server to proxy ticket requests and finishes with the
AP-REQ/AP-REP exchange. In infrastructure mode (proxied or
otherwise), neither the client nor server need to implement any
callbacks (this will likely change later, to allow a server to
authorize users, similar to the GSSAPI callback).

6 Global Functions

gsasl_init

— Function: int gsasl_init (Gsasl ** ctx)

ctx: pointer to libgsasl handle.

This functions initializes libgsasl. The handle pointed to by ctx
is valid for use with other libgsasl functions iff this function is
successful. It also register all builtin SASL mechanisms, using
gsasl_register().

Return value: GSASL_OK iff successful, otherwise
GSASL_MALLOC_ERROR.

gsasl_done

— Function: void gsasl_done (Gsasl * ctx)

ctx: libgsasl handle.

This function destroys a libgsasl handle. The handle must not be
used with other libgsasl functions after this call.

gsasl_client_mechlist

— Function: int gsasl_client_mechlist (Gsasl * ctx, char ** out)

ctx: libgsasl handle.

out: newly allocated output character array.

Return a newly allocated string containing SASL names, separated by
space, of mechanisms supported by the libgsasl client. out is
allocated by this function, and it is the responsibility of caller
to deallocate it.

Return value: Returns GSASL_OK if successful, or error code.

gsasl_server_mechlist

— Function: int gsasl_server_mechlist (Gsasl * ctx, char ** out)

ctx: libgsasl handle.

out: newly allocated output character array.

Return a newly allocated string containing SASL names, separated by
space, of mechanisms supported by the libgsasl server. out is
allocated by this function, and it is the responsibility of caller
to deallocate it.

7 Callback Functions

The callback is used by mechanisms to retrieve information, such as
username and password, from the application. In a server, the
callback is used to decide whether a user is permitted to log in or
not. You tell the library of your callback function by calling
gsasl_callback_set.

Since your callback may need access to data from other parts of your
application, there are hooks to store and retrieve application
specific pointers. This avoids the use of global variables, which
wouldn't be thread safe. You store a pointer to some information
(opaque from the point of view of the library) by calling
gsasl_callback_hook_set and can later retrieve this data in
your callback by calling gsasl_callback_hook_get.

gsasl_callback_set

Store the pointer to the application provided callback in the
library handle. The callback will be used, via gsasl_callback(),
by mechanisms to discover various parameters (such as username and
passwords). The callback function will be called with a
Gsasl_property value indicating the requested behaviour. For
example, for GSASL_ANONYMOUS_TOKEN, the function is expected to
invoke gsasl_property_set(CTX, GSASL_ANONYMOUS_TOKEN, "token")
where "token" is the anonymous token the application wishes the
SASL mechanism to use. See the manual for the meaning of all
parameters.

gsasl_callback

ctx: handle received from gsasl_init(), may be NULL to derive it
from sctx.

sctx: session handle.

prop: enumerated value of Gsasl_property type.

Invoke the application callback. The prop value indicate what the
callback is expected to do. For example, for
GSASL_ANONYMOUS_TOKEN, the function is expected to invoke
gsasl_property_set(SCTX, GSASL_ANONYMOUS_TOKEN, "token") where
"token" is the anonymous token the application wishes the SASL
mechanism to use. See the manual for the meaning of all
parameters.

Note that if no callback has been set by the application, but the
obsolete callback interface has been used, this function will
translate the old callback interface into the new. This interface
should be sufficient to invoke all callbacks, both new and old.

Return value: Returns whatever the application callback returns, or
GSASL_NO_CALLBACK if no application was known.

Since: 0.2.0

gsasl_callback_hook_set

— Function: void gsasl_callback_hook_set (Gsasl * ctx, void * hook)

ctx: libgsasl handle.

hook: opaque pointer to application specific data.

Store application specific data in the libgsasl handle.

The application data can be later (for instance, inside a callback)
be retrieved by calling gsasl_callback_hook_get(). This is
normally used by the application to maintain a global state between
the main program and callbacks.

Since: 0.2.0

gsasl_callback_hook_get

— Function: void * gsasl_callback_hook_get (Gsasl * ctx)

ctx: libgsasl handle.

Retrieve application specific data from libgsasl handle.

The application data is set using gsasl_callback_hook_set(). This
is normally used by the application to maintain a global state
between the main program and callbacks.

The application data can be later (for instance, inside a callback)
be retrieved by calling gsasl_session_hook_get(). This is normally
used by the application to maintain a per-session state between the
main program and callbacks.

Since: 0.2.14

gsasl_session_hook_get

— Function: void * gsasl_session_hook_get (Gsasl_session * sctx)

sctx: libgsasl session handle.

Retrieve application specific data from libgsasl session handle.

The application data is set using gsasl_callback_hook_set(). This
is normally used by the application to maintain a per-session state
between the main program and callbacks.

gsasl_property_get

prop: enumerated value of Gsasl_property type, indicating the
type of data in data.

Retrieve the data stored in the session handle for given property
prop, possibly invoking the application callback to get the value.

The pointer is to live data, and must not be deallocated or
modified in any way.

This function will invoke the application callback, using
gsasl_callback(), when a property value is not known.

If no value is known, and no callback is specified or if the
callback fail to return data, and if any obsolete callback
functions has been set by the application, this function will try
to call these obsolete callbacks, and store the returned data as
the corresponding property. This behaviour of this function will
be removed when the obsolete callback interfaces are removed.

Perform one step of SASL authentication. This reads data from the
other end (from input and input_len), processes it (potentially
invoking callbacks to the application), and writes data to server
(into newly allocated variable output and output_len that
indicate the length of output).

The contents of the output buffer is unspecified if this functions
returns anything other than GSASL_OK or GSASL_NEEDS_MORE. If
this function return GSASL_OK or GSASL_NEEDS_MORE, however, the
output buffer is allocated by this function, and it is the
responsibility of caller to deallocate it by calling free
(output).

This is a simple wrapper around gsasl_step() that base64 decodes
the input and base64 encodes the output.

The contents of the b64output buffer is unspecified if this
functions returns anything other than GSASL_OK or
GSASL_NEEDS_MORE. If this function return GSASL_OK or
GSASL_NEEDS_MORE, however, the b64output buffer is allocated by
this function, and it is the responsibility of caller to deallocate
it by calling free (b64output).

Retrieve password for user from specified file. The buffer key
contain the password if this function is successful. The caller is
responsible for deallocating it.

The file should be on the UoW "MD5 Based Authentication" format,
which means it is in text format with comments denoted by # first
on the line, with user entries looking as "usernameTABpassword".
This function removes CR and LF at the end of lines before
processing. TAB, CR, and LF denote ASCII values 9, 13, and 10,
respectively.

Return value: Return GSASL_OK if output buffer contains the
password, GSASL_AUTHENTICATION_ERROR if the user could not be
found, or other error code.

gsasl_nonce

— Function: int gsasl_nonce (char * data, size_t datalen)

data: output array to be filled with unpredictable random data.

datalen: size of output array.

Store unpredictable data of given size in the provided buffer.

Return value: Returns GSASL_OK iff successful.

gsasl_random

— Function: int gsasl_random (char * data, size_t datalen)

data: output array to be filled with strong random data.

datalen: size of output array.

Store cryptographically strong random data of given size in the
provided buffer.

11 Memory Handling

gsasl_free

— Function: void gsasl_free (void * ptr)

ptr: memory pointer

Invoke free(ptr) to de-allocate memory pointer. Typically used on
strings allocated by other libgsasl functions.

This is useful on Windows where libgsasl is linked to one CRT and
the application is linked to another CRT. Then malloc/free will
not use the same heap. This happens if you build libgsasl using
mingw32 and the application with Visual Studio.

12 Error Handling

Most functions in the GNU SASL Library return an error if they fail.
For this reason, the application should always catch the error
condition and take appropriate measures, for example by releasing the
resources and passing the error up to the caller, or by displaying a
descriptive message to the user and cancelling the operation.

Some error values do not indicate a system error or an error in the
operation, but the result of an operation that failed properly.

12.1 Error values

Errors are returned as int values.

The value of the symbol GSASL_OK is guaranteed to always be
0, and all other error codes are guaranteed to be non-0,
so you may use that information to build boolean expressions involving
return codes. Otherwise, an application should not depend on the
particular value for error codes, and are encouraged to use the
constants even for GSASL_OK to improve readability. Possible
values are:

14 Acknowledgements

The makefiles, manuals, etc borrowed much from Libgcrypt written by
Werner Koch.

Cryptographic functions for some SASL mechanisms uses Libgcrypt by
Werner Koch et al. The NTLM mechanism uses Libntlm by Grant Edwards
et al, using code from Samba written by Andrew Tridgell, and now
maintained by Simon Josefsson. The KERBEROS_V5 mechanism uses Shishi
by Simon Josefsson. The GSSAPI and GS2-KRB5 mechanism uses a GSS-API
implementation, such as GNU GSS by Simon Josefsson.

15 Invoking gsasl

Name

Description

Mandatory or optional arguments to long options are also mandatory or
optional for any corresponding short options.

Commands

gsasl recognizes these commands:

-c, --client Act as client (the default).
--client-mechanisms Write name of supported client mechanisms
separated by space to stdout.
-s, --server Act as server.
--server-mechanisms Write name of supported server mechanisms
separated by space to stdout.

Network Options

Normally the SASL negotiation is performed on the terminal, with
reading from stdin and writing to stdout. It is also possible to
perform the negotiation with a server over a TCP network connection.

--connect=HOSTNAME[:SERVICE]
Connect to TCP server and negotiate on stream
instead of stdin/stdout. SERVICE is the protocol
service, or an integer denoting the port, and
defaults to 143 (imap) if not specified. Also sets
the --hostname default.

Miscellaneous Options:

These parameters affect overall behaviour.

-d, --application-data After authentication, read data from stdin and run
it through the mechanism's security layer and
print it base64 encoded to stdout. The default is
to terminate after authentication.
--imap Use a IMAP-like logon procedure (client only).
Also sets the --service default to "imap".
-m, --mechanism=STRING Mechanism to use.
--no-client-first Disallow client to send data first (client only).

SASL Mechanism Options

These options modify the behaviour of the callbacks (see Callback Functions) in the library. The default is to query the user on the
terminal.

-n, --anonymous-token=STRING Token for anonymous authentication, usually
mail address (ANONYMOUS only).
-a, --authentication-id=STRING Identity of credential owner.
-z, --authorization-id=STRING Identity to request service for.
--disable-cleartext-validate
Disable cleartext validate hook, forcing server to
prompt for password.
--enable-cram-md5-validate Validate CRAM-MD5 challenge and response
interactively.
--hostname=STRING Set the name of the server with the requested
service.
-p, --password=STRING Password for authentication (insecure for
non-testing purposes).
--passcode=NUMBER Passcode for authentication (SECURID only).
--quality-of-protection=<qop-auth | qop-int | qop-conf>
How application payload will be protected.
"qop-auth" means no protection,
"qop-int" means integrity protection,
"qop-conf" means confidentiality.
Currently only used by DIGEST-MD5, where the
default is "qop-int".
-r, --realm=STRING Realm. Defaults to hostname.
--service=STRING Set the requested service name (should be a
registered GSSAPI host based service name).
--service-name=STRING Set the generic server name in case of a
replicated server (DIGEST-MD5 only).
-x, --maxbuf=NUMBER Indicate maximum buffer size (DIGEST-MD5 only).

STARTTLS options

--starttls Force use of STARTTLS. The default is to use
STARTTLS when available. (default=off)
--no-starttls Unconditionally disable STARTTLS.
(default=off)
--no-cb Don't set any channel bindings. (default=off)
--x509-ca-file=FILE File containing one or more X.509 Certificate
Authorities certificates in PEM format, used
to verify the certificate received from the
server. If not specified, no verification of
the remote server certificate will be done.
--x509-cert-file=FILE File containing client X.509 certificate in PEM
format. Used together with --x509-key-file
to specify the certificate/key pair.
--x509-key-file=FILE Private key for the client X.509 certificate in
PEM format. Used together with
--x509-key-file to specify the
certificate/key pair.
--priority Cipher priority string.

Appendix A Protocol Clarifications

This appendix contains clarifications to various SASL specification
that we felt were necessary to include, if for nothing else it may
serve as a guide for other implementers that worry about the same
issues.

A.1 Use of SASLprep in CRAM-MD5

The specification, as of draft-ietf-sasl-crammd5-04.txt, is
silent on whether a SASL server implementation applying SASLprep on a
password received from an external, non-SASL specific database (i.e.,
the passwords are not stored in SASLprep form in the database), should
set or clear the AllowUnassigned bit. The motivation for the AU-bit
in StringPrep/SASLprep is for stored vs query strings. It could be
argued that in this situation the server can treat the external
password either as a stored string (from a database) or as a query
(the server uses the string as a query into the fixed HMAC-MD5 hash).

The specification is also unclear on whether clients should set or
clear the AllowUnassigned flag.

In the server, GNU SASL applies SASLprep to the password with the
AllowUnassigned bit cleared.

A.2 Use of SASLprep in LOGIN

The non-standard mechanism LOGIN presumably does not support
non-ASCII. We suggest that the client should send unprepared UTF-8
and that the server apply SASLprep with the AllowUnassigned bit
cleared on the received username and password.

Appendix B Old Functions

As GNU SASL is still under heavy development, some API functions have
been found to be less useful. Those old API functions will be
supported during a transition period. Refer to the NEWS file to find
out since when a function has been deprecated.

Perform one step of SASL authentication in client. This reads data
from server (specified with input and input_len), processes it
(potentially invoking callbacks to the application), and writes
data to server (into variables output and output_len).

The contents of the output buffer is unspecified if this functions
returns anything other than GSASL_NEEDS_MORE.

Perform one step of SASL authentication in server. This reads data
from client (specified with input and input_len), processes it
(potentially invoking callbacks to the application), and writes
data to client (into variables output and output_len).

The contents of the output buffer is unspecified if this functions
returns anything other than GSASL_NEEDS_MORE.

gsasl_client_application_data_set

Store application specific data in the libgsasl client handle. The
application data can be later (for instance, inside a callback) be
retrieved by calling gsasl_client_application_data_get(). It is
normally used by the application to maintain state between the main
program and the callback.

Deprecated: Use gsasl_callback_hook_set() or
gsasl_session_hook_set() instead.

gsasl_client_application_data_get

Retrieve application specific data from libgsasl client handle. The
application data is set using gsasl_client_application_data_set().
It is normally used by the application to maintain state between
the main program and the callback.

Return value: Returns the application specific data, or NULL.

Deprecated: Use gsasl_callback_hook_get() or
gsasl_session_hook_get() instead.

gsasl_server_application_data_set

Store application specific data in the libgsasl server handle. The
application data can be later (for instance, inside a callback) be
retrieved by calling gsasl_server_application_data_get(). It is
normally used by the application to maintain state between the main
program and the callback.

Deprecated: Use gsasl_callback_hook_set() or
gsasl_session_hook_set() instead.

gsasl_server_application_data_get

Retrieve application specific data from libgsasl server handle. The
application data is set using gsasl_server_application_data_set().
It is normally used by the application to maintain state between
the main program and the callback.

Return value: Returns the application specific data, or NULL.

Deprecated: Use gsasl_callback_hook_get() or
gsasl_session_hook_get() instead.

gsasl_application_data_set

Store application specific data in the libgsasl handle. The
application data can be later (for instance, inside a callback) be
retrieved by calling gsasl_application_data_get(). It is normally
used by the application to maintain state between the main program
and the callback.

Deprecated: Use gsasl_callback_hook_set() instead.

gsasl_application_data_get

— Function: void * gsasl_application_data_get (Gsasl * ctx)

ctx: libgsasl handle.

Retrieve application specific data from libgsasl handle. The
application data is set using gsasl_application_data_set(). It is
normally used by the application to maintain state between the main
program and the callback.

Return value: Returns the application specific data, or NULL.

Deprecated: Use gsasl_callback_hook_get() instead.

gsasl_appinfo_set

Store application specific data in the libgsasl session handle.
The application data can be later (for instance, inside a callback)
be retrieved by calling gsasl_appinfo_get(). It is normally used
by the application to maintain state between the main program and
the callback.

Deprecated: Use gsasl_callback_hook_set() instead.

gsasl_appinfo_get

— Function: void * gsasl_appinfo_get (Gsasl_session * sctx)

sctx: libgsasl session handle.

Retrieve application specific data from libgsasl session
handle. The application data is set using gsasl_appinfo_set(). It
is normally used by the application to maintain state between the
main program and the callback.

gsasl_client_callback_authentication_id_set

Specify the callback function to use in the client to set the
authentication identity. The function can be later retrieved using
gsasl_client_callback_authentication_id_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_authentication_id_get

Get the callback earlier set by calling
gsasl_client_callback_authentication_id_set().

Return value: Returns the callback earlier set by calling
gsasl_client_callback_authentication_id_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_authorization_id_set

Specify the callback function to use in the client to set the
authorization identity. The function can be later retrieved using
gsasl_client_callback_authorization_id_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_authorization_id_get

Get the callback earlier set by calling
gsasl_client_callback_authorization_id_set().

Return value: Returns the callback earlier set by calling
gsasl_client_callback_authorization_id_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_password_set

Specify the callback function to use in the client to set the
password. The function can be later retrieved using
gsasl_client_callback_password_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_password_get

Get the callback earlier set by calling
gsasl_client_callback_password_set().

Return value: Returns the callback earlier set by calling
gsasl_client_callback_password_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_passcode_set

Specify the callback function to use in the client to set the
passcode. The function can be later retrieved using
gsasl_client_callback_passcode_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_passcode_get

Get the callback earlier set by calling
gsasl_client_callback_passcode_set().

Return value: Returns the callback earlier set by calling
gsasl_client_callback_passcode_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_pin_set

Specify the callback function to use in the client to chose a new
pin, possibly suggested by the server, for the SECURID mechanism.
This is not normally invoked, but only when the server requests it.
The function can be later retrieved using
gsasl_client_callback_pin_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_pin_get

Get the callback earlier set by calling
gsasl_client_callback_pin_set().

Return value: Returns the callback earlier set by calling
gsasl_client_callback_pin_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_service_set

Specify the callback function to use in the client to set the name
of the service. The service buffer should be a registered GSSAPI
host-based service name, hostname the name of the server.
Servicename is used by DIGEST-MD5 and should be the name of generic
server in case of a replicated service. The function can be later
retrieved using gsasl_client_callback_service_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_service_get

Get the callback earlier set by calling
gsasl_client_callback_service_set().

Return value: Returns the callback earlier set by calling
gsasl_client_callback_service_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_anonymous_set

Specify the callback function to use in the client to set the
anonymous token, which usually is the users email address. The
function can be later retrieved using
gsasl_client_callback_anonymous_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_anonymous_get

Get the callback earlier set by calling
gsasl_client_callback_anonymous_set().

Return value: Returns the callback earlier set by calling
gsasl_client_callback_anonymous_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_qop_set

Specify the callback function to use in the client to determine the
qop to use after looking at what the server offered. The function
can be later retrieved using gsasl_client_callback_qop_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_qop_get

Get the callback earlier set by calling
gsasl_client_callback_qop_set().

Return value: Returns the callback earlier set by calling
gsasl_client_callback_qop_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_maxbuf_set

Specify the callback function to use in the client to inform the
server of the largest buffer the client is able to receive when
using the DIGEST-MD5 "auth-int" or "auth-conf" Quality of
Protection (qop). If this directive is missing, the default value
65536 will be assumed. The function can be later retrieved using
gsasl_client_callback_maxbuf_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_maxbuf_get

Get the callback earlier set by calling
gsasl_client_callback_maxbuf_set().

Return value: Returns the callback earlier set by calling
gsasl_client_callback_maxbuf_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_realm_set

Specify the callback function to use in the client to know which
realm it belongs to. The realm is used by the server to determine
which username and password to use. The function can be later
retrieved using gsasl_client_callback_realm_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_client_callback_realm_get

Get the callback earlier set by calling
gsasl_client_callback_realm_set().

Return value: Returns the callback earlier set by calling
gsasl_client_callback_realm_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_validate_set

Specify the callback function to use in the server for deciding if
user is authenticated using authentication identity, authorization
identity and password. The function can be later retrieved using
gsasl_server_callback_validate_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_validate_get

Get the callback earlier set by calling
gsasl_server_callback_validate_set().

Return value: Returns the callback earlier set by calling
gsasl_server_callback_validate_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_retrieve_set

Specify the callback function to use in the server for deciding if
user is authenticated using authentication identity, authorization
identity and password. The function can be later retrieved using
gsasl_server_callback_retrieve_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_retrieve_get

Get the callback earlier set by calling
gsasl_server_callback_retrieve_set().

Return value: Returns the callback earlier set by calling
gsasl_server_callback_retrieve_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_cram_md5_set

Specify the callback function to use in the server for deciding if
user is authenticated using CRAM-MD5 challenge and response. The
function can be later retrieved using
gsasl_server_callback_cram_md5_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_cram_md5_get

Get the callback earlier set by calling
gsasl_server_callback_cram_md5_set().

Return value: Returns the callback earlier set by calling
gsasl_server_callback_cram_md5_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_digest_md5_set

Specify the callback function to use in the server for retrieving
the secret hash of the username, realm and password for use in the
DIGEST-MD5 mechanism. The function can be later retrieved using
gsasl_server_callback_digest_md5_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_digest_md5_get

Get the callback earlier set by calling
gsasl_server_callback_digest_md5_set().

Return value: Return the callback earlier set by calling
gsasl_server_callback_digest_md5_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_external_set

Specify the callback function to use in the server for deciding if
user is authenticated out of band. The function can be later
retrieved using gsasl_server_callback_external_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_external_get

Get the callback earlier set by calling
gsasl_server_callback_external_set().

Return value: Returns the callback earlier set by calling
gsasl_server_callback_external_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_anonymous_set

Specify the callback function to use in the server for deciding if
user is permitted anonymous access. The function can be later
retrieved using gsasl_server_callback_anonymous_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_anonymous_get

Get the callback earlier set by calling
gsasl_server_callback_anonymous_set().

Return value: Returns the callback earlier set by calling
gsasl_server_callback_anonymous_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_realm_set

Specify the callback function to use in the server to know which
realm it serves. The realm is used by the user to determine which
username and password to use. The function can be later retrieved
using gsasl_server_callback_realm_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_realm_get

Get the callback earlier set by calling
gsasl_server_callback_realm_set().

Return value: Returns the callback earlier set by calling
gsasl_server_callback_realm_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_qop_set

Specify the callback function to use in the server to know which
quality of protection it accepts. The quality of protection
eventually used is selected by the client though. It is currently
used by the DIGEST-MD5 mechanism. The function can be later
retrieved using gsasl_server_callback_qop_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_qop_get

Get the callback earlier set by calling
gsasl_server_callback_qop_set().

Return value: Returns the callback earlier set by calling
gsasl_server_callback_qop_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_maxbuf_set

Specify the callback function to use in the server to inform the
client of the largest buffer the server is able to receive when
using the DIGEST-MD5 "auth-int" or "auth-conf" Quality of
Protection (qop). If this directive is missing, the default value
65536 will be assumed. The function can be later retrieved using
gsasl_server_callback_maxbuf_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_maxbuf_get

Get the callback earlier set by calling
gsasl_server_callback_maxbuf_set().

Return value: Returns the callback earlier set by calling
gsasl_server_callback_maxbuf_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_cipher_set

Specify the callback function to use in the server to inform the
client of the cipher suites supported. The DES and 3DES ciphers
must be supported for interoperability. It is currently used by
the DIGEST-MD5 mechanism. The function can be later retrieved
using gsasl_server_callback_cipher_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_cipher_get

Get the callback earlier set by calling
gsasl_server_callback_cipher_set().

Return value: Returns the callback earlier set by calling
gsasl_server_callback_cipher_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_securid_set

Specify the callback function to use in the server for validating a
user via the SECURID mechanism. The function should return
GSASL_OK if user authenticated successfully,
GSASL_SECURID_SERVER_NEED_ADDITIONAL_PASSCODE if it wants another
passcode, GSASL_SECURID_SERVER_NEED_NEW_PIN if it wants a PIN
change, or an error. When (and only when)
GSASL_SECURID_SERVER_NEED_NEW_PIN is returned, suggestpin can be
populated with a PIN code the server suggests, and suggestpinlen
set to the length of the PIN. The function can be later retrieved
using gsasl_server_callback_securid_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_securid_get

Get the callback earlier set by calling
gsasl_server_callback_securid_set().

Return value: Returns the callback earlier set by calling
gsasl_server_callback_securid_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_gssapi_set

Specify the callback function to use in the server for checking if
a GSSAPI user is authorized for username (by, e.g., calling
krb5_kuserok). The function should return GSASL_OK if the user
should be permitted access, or an error code such as
GSASL_AUTHENTICATION_ERROR on failure. The function can be later
retrieved using gsasl_server_callback_gssapi_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_gssapi_get

Get the callback earlier set by calling
gsasl_server_callback_gssapi_set().

Return value: Returns the callback earlier set by calling
gsasl_server_callback_gssapi_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_service_set

Specify the callback function to use in the server to set the name
of the service. The service buffer should be a registered GSSAPI
host-based service name, hostname the name of the server. The
function can be later retrieved using
gsasl_server_callback_service_get().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_server_callback_service_get

Get the callback earlier set by calling
gsasl_server_callback_service_set().

Return value: Returns the callback earlier set by calling
gsasl_server_callback_service_set().

Deprecated: This function is part of the old callback interface.
The new interface uses gsasl_callback_set() to set the application
callback, and uses gsasl_callback() or gsasl_property_get() to
invoke the callback for certain properties.

gsasl_stringprep_nfkc

Converts a string into canonical form, standardizing such issues as
whether a character with an accent is represented as a base
character and combining accent or as a single precomposed
character.

The normalization mode is NFKC (ALL COMPOSE). It standardizes
differences that do not affect the text content, such as the
above-mentioned accent representation. It standardizes the
"compatibility" characters in Unicode, such as SUPERSCRIPT THREE to
the standard forms (in this case DIGIT THREE). Formatting
information may be lost but for most text operations such
characters should be considered the same. It returns a result with
composed forms rather than a maximally decomposed form.

Return value: Return a newly allocated string, that is the NFKC
normalized form of str, or NULL on error.

Deprecated: No replacement functionality in GNU SASL, use GNU
Libidn instead. Note that in SASL, you most likely want to use
SASLprep and not bare NFKC, see gsasl_saslprep().

gsasl_stringprep_saslprep

in: input ASCII or UTF-8 string with data to prepare according to SASLprep.

stringprep_rc: pointer to output variable with stringprep error code,
or NULL to indicate that you don't care about it.

Process a Unicode string for comparison, according to the
"SASLprep" stringprep profile. This function is intended to be
used by Simple Authentication and Security Layer (SASL) mechanisms
(such as PLAIN, CRAM-MD5, and DIGEST-MD5) as well as other
protocols exchanging user names and/or passwords.

Return value: Return a newly allocated string that is the
"SASLprep" processed form of the input string, or NULL on error,
in which case stringprep_rc contain the stringprep library error
code.

Retrieve password for user from specified file. To find out how
large the output array must be, call this function with out=NULL.

The file should be on the UoW "MD5 Based Authentication" format,
which means it is in text format with comments denoted by # first
on the line, with user entries looking as "usernameTABpassword".
This function removes CR and LF at the end of lines before
processing. TAB, CR, and LF denote ASCII values 9, 13, and 10,
respectively.

Return value: Return GSASL_OK if output buffer contains the
password, GSASL_AUTHENTICATION_ERROR if the user could not be
found, or other error code.

B.1 Obsolete callback function prototypes

outlen: on input the maximum size of the output array, on output
contains the actual size of the output array.

Type of callback function the application implements. It should
populate the output array with some input from the user and set the
output array length, and return GSASL_OK, or fail with an error
code.

If OUT is NULL, the function should only populate the output length
field with the length, and return GSASL_OK. This usage may be used by
the caller to allocate the proper buffer size.

outlen: on input the maximum size of the output array, on output
contains the actual size of the output array.

Type of callback function the application implements. It should
populate the output array with authentiction identity of user and set
the output array length, and return GSASL_OK, or fail with an
error code. The authentication identity must be encoded in UTF-8, but
need not be normalized in any way.

If OUT is NULL, the function should only populate the output length
field with the length, and return GSASL_OK. This usage may be used by
the caller to allocate the proper buffer size.

outlen: on input the maximum size of the output array, on output
contains the actual size of the output array.

Type of callback function the application implements. It should
populate the output array with authorization identity of user and set
the output array length, and return GSASL_OK, or fail with an
error code. The authorization identity must be encoded in UTF-8, but
need not be normalized in any way.

If OUT is NULL, the function should only populate the output length
field with the length, and return GSASL_OK. This usage may be used by
the caller to allocate the proper buffer size.

servicelen: on input the maximum size of the service output array,
on output contains the actual size of the service output array.

hostname: output array with hostname of server.

hostnamelen: on input the maximum size of the hostname output
array, on output contains the actual size of the hostname output
array.

servicename: output array with generic name of server in case of
replication (DIGEST-MD5 only).

servicenamelen: on input the maximum size of the servicename
output array, on output contains the actual size of the servicename
output array.

Type of callback function the application implements. It should
retrieve the service (which should be a registered GSSAPI host based
service name, such as “imap”) on the server, hostname of server
(usually canoncial DNS hostname) and optionally generic service name
of server in case of replication (e.g. “mail.example.org” when the
hostname is “mx42.example.org”, see the RFC 2831 for more
information). It should return GSASL_OK, or an error such as
GSASL_AUTHENTICATION_ERROR if it fails.

If SERVICE, HOSTNAME or SERVICENAME is NULL, the function should only
populate SERVICELEN, HOSTNAMELEN or SERVICENAMELEN with the output
length of the respective field, and return GSASL_OK. This usage may
be used by the caller to allocate the proper buffer size.
Furthermore, SERVICENAMELEN may also be NULL, indicating that the
mechanism is not interested in this field.

Type of callback function the application implements. It should
return GSASL_OK if and only if the validation of the provided
credential was succesful. GSASL_AUTHENTICATION_ERROR is a good
failure if authentication failed, but any available return code may be
used.

secrethash: output array that should contain hash of username,
realm and password as described for the DIGEST-MD5 mechanism.

Type of callback function the application implements. It should
retrieve the secret hash for the given user in given realm and return
GSASL_OK, or an error such as GSASL_AUTHENTICATION_ERROR if it fails.
The secrethash buffer is guaranteed to have size for the fixed length
MD5 hash.

Type of callback function the application implements. It should
return GSASL_OK if and only if the GSSAPI user is authorized to log on
as the given authentication_id. GSASL_AUTHENTICATION_ERROR is a good
failure if authentication failed, but any available return code may be
used. This callback is usually implemented in the application as a
call to krb5_kuserok(), such as:

outlen: on input the maximum size of the output array, on output
contains the actual size of the output array.

Type of callback function the application implements. It should
populate the output array with password of user and set the output
array length, and return GSASL_OK, or fail with an error
code. The password must be encoded in UTF-8, but need not be
normalized in any way.

If OUT is NULL, the function should only populate the output length
field with the length, and return GSASL_OK. This usage may be used by
the caller to allocate the proper buffer size.

keylen: on input the maximum size of the key output array, on
output contains the actual size of the key output array.

Type of callback function the application implements. It should
retrieve the password for the indicated user and return GSASL_OK, or
an error code such as GSASL_AUTHENTICATION_ERROR. The key must be
encoded in UTF-8, but need not be normalized in any way.

If KEY is NULL, the function should only populate the KEYLEN output
length field with the length, and return GSASL_OK. This usage may be
used by the caller to allocate the proper buffer size.

suggestpinlen: on input the maximum size of the output array, on
output contains the actual size of the output array.

Type of callback function the application implements. It should
return GSASL_OK if and only if the validation of the provided
credential was succesful. GSASL_AUTHENTICATION_ERROR is a good
failure if authentication failed, but any available return code may be
used.

Two SECURID specific error codes also exists. The function can return
GSASL_SECURID_SERVER_NEED_ADDITIONAL_PASSCODE to request that the
client generate a new passcode. It can also return
GSASL_SECURID_SERVER_NEED_NEW_PIN to request that the client generate
a new PIN. If the server wishes to suggest a new PIN it can populate
the SUGGESTPIN field.

If SUGGESTPIN is NULL, the function should only populate the output
length field with the length, and return GSASL_OK. This usage may be
used by the caller to allocate the proper buffer size.

servicelen: on input the maximum size of the service output array,
on output contains the actual size of the service output array.

hostname: output array with hostname of server.

hostnamelen: on input the maximum size of the hostname output
array, on output contains the actual size of the hostname output
array.

Type of callback function the application implements. It should
retrieve the service (which should be a registered GSSAPI host based
service name, such as “imap”) the server provides and hostname of
server (usually canoncial DNS hostname). It should return GSASL_OK,
or an error such as GSASL_AUTHENTICATION_ERROR if it fails.

If SERVICE or HOSTNAME is NULL, the function should only populate
SERVICELEN or HOSTNAMELEN with the output length of the respective
field, and return GSASL_OK. This usage may be used by the caller to
allocate the proper buffer size.

Type of callback function the application implements. It should
return GSASL_OK if and only if the validation of the provided
credential was succesful. GSASL_AUTHENTICATION_ERROR is a good
failure if authentication failed, but any available return code may be
used.

The purpose of this License is to make a manual, textbook, or other
functional and useful document free in the sense of freedom: to
assure everyone the effective freedom to copy and redistribute it,
with or without modifying it, either commercially or noncommercially.
Secondarily, this License preserves for the author and publisher a way
to get credit for their work, while not being considered responsible
for modifications made by others.

This License is a kind of “copyleft”, which means that derivative
works of the document must themselves be free in the same sense. It
complements the GNU General Public License, which is a copyleft
license designed for free software.

We have designed this License in order to use it for manuals for free
software, because free software needs free documentation: a free
program should come with manuals providing the same freedoms that the
software does. But this License is not limited to software manuals;
it can be used for any textual work, regardless of subject matter or
whether it is published as a printed book. We recommend this License
principally for works whose purpose is instruction or reference.

APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that
contains a notice placed by the copyright holder saying it can be
distributed under the terms of this License. Such a notice grants a
world-wide, royalty-free license, unlimited in duration, to use that
work under the conditions stated herein. The “Document”, below,
refers to any such manual or work. Any member of the public is a
licensee, and is addressed as “you”. You accept the license if you
copy, modify or distribute the work in a way requiring permission
under copyright law.

A “Modified Version” of the Document means any work containing the
Document or a portion of it, either copied verbatim, or with
modifications and/or translated into another language.

A “Secondary Section” is a named appendix or a front-matter section
of the Document that deals exclusively with the relationship of the
publishers or authors of the Document to the Document's overall
subject (or to related matters) and contains nothing that could fall
directly within that overall subject. (Thus, if the Document is in
part a textbook of mathematics, a Secondary Section may not explain
any mathematics.) The relationship could be a matter of historical
connection with the subject or with related matters, or of legal,
commercial, philosophical, ethical or political position regarding
them.

The “Invariant Sections” are certain Secondary Sections whose titles
are designated, as being those of Invariant Sections, in the notice
that says that the Document is released under this License. If a
section does not fit the above definition of Secondary then it is not
allowed to be designated as Invariant. The Document may contain zero
Invariant Sections. If the Document does not identify any Invariant
Sections then there are none.

The “Cover Texts” are certain short passages of text that are listed,
as Front-Cover Texts or Back-Cover Texts, in the notice that says that
the Document is released under this License. A Front-Cover Text may
be at most 5 words, and a Back-Cover Text may be at most 25 words.

A “Transparent” copy of the Document means a machine-readable copy,
represented in a format whose specification is available to the
general public, that is suitable for revising the document
straightforwardly with generic text editors or (for images composed of
pixels) generic paint programs or (for drawings) some widely available
drawing editor, and that is suitable for input to text formatters or
for automatic translation to a variety of formats suitable for input
to text formatters. A copy made in an otherwise Transparent file
format whose markup, or absence of markup, has been arranged to thwart
or discourage subsequent modification by readers is not Transparent.
An image format is not Transparent if used for any substantial amount
of text. A copy that is not “Transparent” is called “Opaque”.

Examples of suitable formats for Transparent copies include plain
ASCII without markup, Texinfo input format, LaTeX input
format, SGML or XML using a publicly available
DTD, and standard-conforming simple HTML,
PostScript or PDF designed for human modification. Examples
of transparent image formats include PNG, XCF and
JPG. Opaque formats include proprietary formats that can be
read and edited only by proprietary word processors, SGML or
XML for which the DTD and/or processing tools are
not generally available, and the machine-generated HTML,
PostScript or PDF produced by some word processors for
output purposes only.

The “Title Page” means, for a printed book, the title page itself,
plus such following pages as are needed to hold, legibly, the material
this License requires to appear in the title page. For works in
formats which do not have any title page as such, “Title Page” means
the text near the most prominent appearance of the work's title,
preceding the beginning of the body of the text.

The “publisher” means any person or entity that distributes copies
of the Document to the public.

A section “Entitled XYZ” means a named subunit of the Document whose
title either is precisely XYZ or contains XYZ in parentheses following
text that translates XYZ in another language. (Here XYZ stands for a
specific section name mentioned below, such as “Acknowledgements”,
“Dedications”, “Endorsements”, or “History”.) To “Preserve the Title”
of such a section when you modify the Document means that it remains a
section “Entitled XYZ” according to this definition.

The Document may include Warranty Disclaimers next to the notice which
states that this License applies to the Document. These Warranty
Disclaimers are considered to be included by reference in this
License, but only as regards disclaiming warranties: any other
implication that these Warranty Disclaimers may have is void and has
no effect on the meaning of this License.

VERBATIM COPYING

You may copy and distribute the Document in any medium, either
commercially or noncommercially, provided that this License, the
copyright notices, and the license notice saying this License applies
to the Document are reproduced in all copies, and that you add no other
conditions whatsoever to those of this License. You may not use
technical measures to obstruct or control the reading or further
copying of the copies you make or distribute. However, you may accept
compensation in exchange for copies. If you distribute a large enough
number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and
you may publicly display copies.

COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have
printed covers) of the Document, numbering more than 100, and the
Document's license notice requires Cover Texts, you must enclose the
copies in covers that carry, clearly and legibly, all these Cover
Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on
the back cover. Both covers must also clearly and legibly identify
you as the publisher of these copies. The front cover must present
the full title with all words of the title equally prominent and
visible. You may add other material on the covers in addition.
Copying with changes limited to the covers, as long as they preserve
the title of the Document and satisfy these conditions, can be treated
as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit
legibly, you should put the first ones listed (as many as fit
reasonably) on the actual cover, and continue the rest onto adjacent
pages.

If you publish or distribute Opaque copies of the Document numbering
more than 100, you must either include a machine-readable Transparent
copy along with each Opaque copy, or state in or with each Opaque copy
a computer-network location from which the general network-using
public has access to download using public-standard network protocols
a complete Transparent copy of the Document, free of added material.
If you use the latter option, you must take reasonably prudent steps,
when you begin distribution of Opaque copies in quantity, to ensure
that this Transparent copy will remain thus accessible at the stated
location until at least one year after the last time you distribute an
Opaque copy (directly or through your agents or retailers) of that
edition to the public.

It is requested, but not required, that you contact the authors of the
Document well before redistributing any large number of copies, to give
them a chance to provide you with an updated version of the Document.

MODIFICATIONS

You may copy and distribute a Modified Version of the Document under
the conditions of sections 2 and 3 above, provided that you release
the Modified Version under precisely this License, with the Modified
Version filling the role of the Document, thus licensing distribution
and modification of the Modified Version to whoever possesses a copy
of it. In addition, you must do these things in the Modified Version:

Use in the Title Page (and on the covers, if any) a title distinct
from that of the Document, and from those of previous versions
(which should, if there were any, be listed in the History section
of the Document). You may use the same title as a previous version
if the original publisher of that version gives permission.

List on the Title Page, as authors, one or more persons or entities
responsible for authorship of the modifications in the Modified
Version, together with at least five of the principal authors of the
Document (all of its principal authors, if it has fewer than five),
unless they release you from this requirement.

State on the Title page the name of the publisher of the
Modified Version, as the publisher.

Preserve all the copyright notices of the Document.

Add an appropriate copyright notice for your modifications
adjacent to the other copyright notices.

Include, immediately after the copyright notices, a license notice
giving the public permission to use the Modified Version under the
terms of this License, in the form shown in the Addendum below.

Preserve in that license notice the full lists of Invariant Sections
and required Cover Texts given in the Document's license notice.

Include an unaltered copy of this License.

Preserve the section Entitled “History”, Preserve its Title, and add
to it an item stating at least the title, year, new authors, and
publisher of the Modified Version as given on the Title Page. If
there is no section Entitled “History” in the Document, create one
stating the title, year, authors, and publisher of the Document as
given on its Title Page, then add an item describing the Modified
Version as stated in the previous sentence.

Preserve the network location, if any, given in the Document for
public access to a Transparent copy of the Document, and likewise
the network locations given in the Document for previous versions
it was based on. These may be placed in the “History” section.
You may omit a network location for a work that was published at
least four years before the Document itself, or if the original
publisher of the version it refers to gives permission.

For any section Entitled “Acknowledgements” or “Dedications”, Preserve
the Title of the section, and preserve in the section all the
substance and tone of each of the contributor acknowledgements and/or
dedications given therein.

Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers
or the equivalent are not considered part of the section titles.

Delete any section Entitled “Endorsements”. Such a section
may not be included in the Modified Version.

Do not retitle any existing section to be Entitled “Endorsements” or
to conflict in title with any Invariant Section.

Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or
appendices that qualify as Secondary Sections and contain no material
copied from the Document, you may at your option designate some or all
of these sections as invariant. To do this, add their titles to the
list of Invariant Sections in the Modified Version's license notice.
These titles must be distinct from any other section titles.

You may add a section Entitled “Endorsements”, provided it contains
nothing but endorsements of your Modified Version by various
parties—for example, statements of peer review or that the text has
been approved by an organization as the authoritative definition of a
standard.

You may add a passage of up to five words as a Front-Cover Text, and a
passage of up to 25 words as a Back-Cover Text, to the end of the list
of Cover Texts in the Modified Version. Only one passage of
Front-Cover Text and one of Back-Cover Text may be added by (or
through arrangements made by) any one entity. If the Document already
includes a cover text for the same cover, previously added by you or
by arrangement made by the same entity you are acting on behalf of,
you may not add another; but you may replace the old one, on explicit
permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License
give permission to use their names for publicity for or to assert or
imply endorsement of any Modified Version.

COMBINING DOCUMENTS

You may combine the Document with other documents released under this
License, under the terms defined in section 4 above for modified
versions, provided that you include in the combination all of the
Invariant Sections of all of the original documents, unmodified, and
list them all as Invariant Sections of your combined work in its
license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and
multiple identical Invariant Sections may be replaced with a single
copy. If there are multiple Invariant Sections with the same name but
different contents, make the title of each such section unique by
adding at the end of it, in parentheses, the name of the original
author or publisher of that section if known, or else a unique number.
Make the same adjustment to the section titles in the list of
Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled “History”
in the various original documents, forming one section Entitled
“History”; likewise combine any sections Entitled “Acknowledgements”,
and any sections Entitled “Dedications”. You must delete all
sections Entitled “Endorsements.”

COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this
License in the various documents with a single copy that is included in
the collection, provided that you follow the rules of this License for
verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute
it individually under this License, provided you insert a copy of this
License into the extracted document, and follow this License in all
other respects regarding verbatim copying of that document.

AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate
and independent documents or works, in or on a volume of a storage or
distribution medium, is called an “aggregate” if the copyright
resulting from the compilation is not used to limit the legal rights
of the compilation's users beyond what the individual works permit.
When the Document is included in an aggregate, this License does not
apply to the other works in the aggregate which are not themselves
derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these
copies of the Document, then if the Document is less than one half of
the entire aggregate, the Document's Cover Texts may be placed on
covers that bracket the Document within the aggregate, or the
electronic equivalent of covers if the Document is in electronic form.
Otherwise they must appear on printed covers that bracket the whole
aggregate.

TRANSLATION

Translation is considered a kind of modification, so you may
distribute translations of the Document under the terms of section 4.
Replacing Invariant Sections with translations requires special
permission from their copyright holders, but you may include
translations of some or all Invariant Sections in addition to the
original versions of these Invariant Sections. You may include a
translation of this License, and all the license notices in the
Document, and any Warranty Disclaimers, provided that you also include
the original English version of this License and the original versions
of those notices and disclaimers. In case of a disagreement between
the translation and the original version of this License or a notice
or disclaimer, the original version will prevail.

If a section in the Document is Entitled “Acknowledgements”,
“Dedications”, or “History”, the requirement (section 4) to Preserve
its Title (section 1) will typically require changing the actual
title.

TERMINATION

You may not copy, modify, sublicense, or distribute the Document
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense, or distribute it is void, and
will automatically terminate your rights under this License.

However, if you cease all violation of this License, then your license
from a particular copyright holder is reinstated (a) provisionally,
unless and until the copyright holder explicitly and finally
terminates your license, and (b) permanently, if the copyright holder
fails to notify you of the violation by some reasonable means prior to
60 days after the cessation.

Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.

Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, receipt of a copy of some or all of the same material does
not give you any rights to use it.

FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions
of the GNU Free Documentation License from time to time. Such new
versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns. See
http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number.
If the Document specifies that a particular numbered version of this
License “or any later version” applies to it, you have the option of
following the terms and conditions either of that specified version or
of any later version that has been published (not as a draft) by the
Free Software Foundation. If the Document does not specify a version
number of this License, you may choose any version ever published (not
as a draft) by the Free Software Foundation. If the Document
specifies that a proxy can decide which future versions of this
License can be used, that proxy's public statement of acceptance of a
version permanently authorizes you to choose that version for the
Document.

RELICENSING

“Massive Multiauthor Collaboration Site” (or “MMC Site”) means any
World Wide Web server that publishes copyrightable works and also
provides prominent facilities for anybody to edit those works. A
public wiki that anybody can edit is an example of such a server. A
“Massive Multiauthor Collaboration” (or “MMC”) contained in the
site means any set of copyrightable works thus published on the MMC
site.

“CC-BY-SA” means the Creative Commons Attribution-Share Alike 3.0
license published by Creative Commons Corporation, a not-for-profit
corporation with a principal place of business in San Francisco,
California, as well as future copyleft versions of that license
published by that same organization.

“Incorporate” means to publish or republish a Document, in whole or
in part, as part of another Document.

An MMC is “eligible for relicensing” if it is licensed under this
License, and if all works that were first published under this License
somewhere other than this MMC, and subsequently incorporated in whole
or in part into the MMC, (1) had no cover texts or invariant sections,
and (2) were thus incorporated prior to November 1, 2008.

The operator of an MMC Site may republish an MMC contained in the site
under CC-BY-SA on the same site at any time before August 1, 2009,
provided the MMC is eligible for relicensing.

ADDENDUM: How to use this License for your documents

To use this License in a document you have written, include a copy of
the License in the document and put the following copyright and
license notices just after the title page:

Copyright (C) yearyour name.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is included in the section entitled ``GNU
Free Documentation License''.

If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts,
replace the “with...Texts.” line with this:

with the Invariant Sections being list their titles, with
the Front-Cover Texts being list, and with the Back-Cover Texts
being list.

If you have Invariant Sections without Cover Texts, or some other
combination of the three, merge those two alternatives to suit the
situation.

If your document contains nontrivial examples of program code, we
recommend releasing these examples in parallel under your choice of
free software license, such as the GNU General Public License,
to permit their use in free software.